This repository has been archived by the owner on Jan 5, 2024. It is now read-only.

SD-Export-Permissions-Fix-Proposal #106

Closed
wants to merge 1 commit into from


@illumi420 illumi420 commented Oct 11, 2022

Hello, I made some changes in the export.py and utils.py files as a workaround for the following issue:

freedomofpress/securedrop-client#1726

I would like feedback on whether these changes would have a negative influence on the sd-workstation security,
and if not, whether it is possible to implement them upstream.

With a new upgrade of the workstation, would my changes be overwritten?

@gonzalo-bulnes gonzalo-bulnes requested review from gonzalo-bulnes, a user and rocodes October 13, 2022 00:27
@gonzalo-bulnes gonzalo-bulnes added the security Needs security engineer input label Oct 13, 2022
@rocodes
Contributor

rocodes commented Oct 13, 2022

Hi @illumi420 @airblag - thanks for filing this and apologies for not getting back to you sooner on your previous issue. We'll look into this and try to repro your original issue, and get back to you with some feedback.

If you're part of the SecureDrop Workstation pilot and are blocked on this, please also reach out through the official workstation pilot support channels and we'll do what we can to help. Thank you!

@rocodes
Contributor

rocodes commented Oct 13, 2022

Thanks @illumi420 @airblag for explaining your use case - I defer to our security engineers, but my initial impression is that yes there's room to loosen the permissions on the export device, although I'd probably make the changes in the directory on the target device rather than in the directory on sd-devices where the tarball is being unpacked.

We'll get back to you when we've had a chance to touch base on this. Just a heads up that we have a lot on the go so this will be triaged along with our other issues. And to your question, yes, updates to or reboots of the target vms will overwrite any temporary changes that are made.

If you're using SecureDrop Workstation in a production setting, please know that while it's been audited, it's still in a closed beta/pilot phase at this point in time. We're interested in hearing from you regardless about your experiences--you can reach us here or at [email protected] (GPG key).

@ghost

ghost commented Oct 19, 2022

I very much agree with what @rocodes said. There doesn't seem to be anything harmful about easing up on the permissions here; however, the changes should be made to the directory on the target device and not the directory in sd-devices.

@legoktm
Member

legoktm commented Dec 13, 2023

I've moved this PR to freedomofpress/securedrop-client#1740.

@legoktm legoktm closed this Dec 13, 2023